April 2017

Auto Login URL - Less Critical - Access Bypass

* Advisory ID: DRUPAL-SA-CONTRIB-2017-034
* Project: Auto Login URL
* Version: 7.x, 8.x
* Date: 2017-April-05
* Security risk: 8/25 (Less Critical)
* Vulnerability: Access bypass

DESCRIPTION

This module lets you create auto login URLs programmatically on demand and
through tokens.

The module does not provide sufficient protection when generating login URLs.
An attacker could rebuild login URLs independently, thereby logging in as
another user.

Book access - Critical - Unsupported

* Advisory ID: DRUPAL-SA-CONTRIB-2017-35
* Project: Book access (third-party module)
* Date: 12-April-2017

DESCRIPTION

This module alters the book module permissions model by letting you specify
access/modify/delete rights on a per-book basis. Normally, book-related
permissions provided by Drupal core apply across all books, but this module
lets you drill down to granting specific users specific rights for specific
books.

Scheduler Workbench Integration - Critical - Unsupported

* Advisory ID: DRUPAL-SA-CONTRIB-2017-39
* Project: Scheduler Workbench Integration (third-party module)
* Date: 12-Apr-2017

DESCRIPTION

Provides integration between the Scheduler module and the Workbench
Moderation module.

The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer. If
you would like to maintain this module, please read:
https://www.drupal.org/node/251466

@Base - Critical - Unsupported

* Advisory ID: DRUPAL-SA-CONTRIB-2017-040
* Project: @Base (third-party module)
* Date: 2017-April-12

DESCRIPTION

Provides some additional APIs for developers working with Drupal 7.

The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer. If
you would like to maintain this module, please read:
https://www.drupal.org/node/251466

VERSIONS AFFECTED

* All versions.

Media - Critical - 1.x branch unsupported

* Advisory ID: DRUPAL-SA-CONTRIB-2017-042
* Project: Media (third-party module)
* Date: 12-Apr-2017

DESCRIPTION

The Media module provides an extensible framework for managing files and
multimedia assets, regardless of whether they are hosted on your own site or
a 3rd party site - it is commonly referred to as a 'file browser to the
internet'.

VERSIONS AFFECTED

* Only the 1.x branch is affected. The 2.x branch does not have this
vulnerability.

Drupal Core - Critical - Access Bypass - SA-CORE-2017-002

* Advisory ID: DRUPAL-SA-CORE-2017-002
* Project: Drupal core
* Version: 8.x
* Date: 2017-April-19
* CVEID: CVE-2017-6919
* Security risk: 17/25 (Critical)
* Vulnerability: Access bypass

DESCRIPTION

This is a critical access bypass vulnerability. A site is only affected by
this if the following conditions are met: